[Bro] Bro performance issues

Tomer Teller djteller at gmail.com
Thu Nov 3 08:16:58 PDT 2011 

PF_RING Version     : 5.0.0 ($Revision: exported$)
Ring slots          : 4096
Slot version        : 13
Capture TX          : Yes [RX+TX]
IP Defragment       : No
Socket Mode         : Standard
Transparent mode    : Yes (mode 0)
Total rings         : 0
Total plugins       : 0

[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started
manager    manager    localhost  running       13328  3      03 Nov 19:08:41
proxy-1    proxy      localhost  running       13359  3      03 Nov 19:08:43
worker-1   worker     localhost  running       13403  2      03 Nov 19:08:45
worker-2   worker     localhost  running       13402  2      03 Nov 19:08:45


[BroControl] > netstats
  worker-1: 1320362018.486131 recvd=669511 dropped=286 link=669797
  worker-2: 1320362018.686087 recvd=669650 dropped=147 link=669797




On Thu, Nov 3, 2011 at 2:47 PM, Martin Holste <mcholste at gmail.com> wrote:

> What's the output of cat /proc/net/pf_ring/* ?  There should be a file
> per Bro worker in there when Bro is running.
>
> On Thu, Nov 3, 2011 at 6:47 AM, Tomer Teller <djteller at gmail.com> wrote:
> > Thanks for the tip William,
> > This trick doesn't work on Bro2.0
> > I tried both aux_scripts and creating the worker-1.local.bro file
> > I installed the new policy stop/start and again the workers are not
> > load-balancing traffic
> > tcpreplay  -i ethX --mbps=1000.0 680000_packets.pcap
> > [BroControl] > netstats
> >   worker-1: 1320349321.810072 recvd=639496 dropped=30101 link=669597
> >   worker-2: 1320349322.010123 recvd=639549 dropped=30048 link=669597
> > This is Out of the box Bro2.0 with PF_RING and libpcap compiles with
> > PF_RING.
> >
> >
> > On Wed, Nov 2, 2011 at 9:41 PM, William Jones <jones at tacc.utexas.edu>
> wrote:
> >>
> >> Try the following pcap filtering trick:
> >>
> >> ‘
> >>
> >> [manager]
> >>
> >> type=manager
> >>
> >> host=localhost
> >>
> >>
> >>
> >> [proxy-1]
> >>
> >> type=proxy
> >>
> >> host=localhost
> >>
> >>
> >>
> >> [worker-1]
> >>
> >> type=worker
> >>
> >> host=localhost
> >>
> >> interface=em0
> >>
> >> aux_scripts=q1of2
> >>
> >>
> >>
> >> [worker-2]
> >>
> >> type=worker
> >>
> >> host=localhost
> >>
> >> aux_scripts=q2of2
> >>
> >>
> >>
> >> Add the following scripts in  <bro>share/bro/site
> >>
> >>
> >>
> >> q1of2.bro:
> >>
> >> redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
> >>
> >>
> >>
> >> q2of2.bro:
> >>
> >>
> >>
> >> redef restrict_filters += { ["q0"] = "(ip[12:4] + ip[16:4]) & 1 == 1" };
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> This will split input between the two bro workers.
> >>
> >> ~
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On
> Behalf
> >> Of Tomer Teller
> >> Sent: Wednesday, November 02, 2011 10:46 AM
> >> To: Seth Hall
> >> Cc: bro at bro-ids.org
> >> Subject: Re: [Bro] Bro performance issues
> >>
> >>
> >>
> >> This is my node.cfg config file:
> >>
> >>
> >>
> >> [manager]
> >>
> >> type=manager
> >>
> >> host=localhost
> >>
> >>
> >>
> >> [proxy-1]
> >>
> >> type=proxy
> >>
> >> host=localhost
> >>
> >>
> >>
> >> [worker-1]
> >>
> >> type=worker
> >>
> >> host=localhost
> >>
> >> interface=em0
> >>
> >>
> >>
> >> [worker-2]
> >>
> >> type=worker
> >>
> >> host=localhost
> >>
> >> interface=em0
> >>
> >>
> >>
> >> I am running on Bro 2.0 Beta.
> >>
> >>
> >>
> >> I am replying a 680000 packets pcap file to the machine.
> >>
> >>
> >>
> >> When running broctl's netstats, this is what i see:
> >>
> >>
> >>
> >> worker-1: 1320276618.514073 recvd=669576 dropped=0 link=669576
> >>
> >> worker-2: 1320276618.714115 recvd=669576 dropped=0 link=669576
> >>
> >>
> >>
> >> I expect to see load-balance between worker-1 and worker-2 but they are
> >> getting the same traffic.
> >>
> >>
> >>
> >> I decided to patch Bro in order to "support" that load-balancing.
> >>
> >>
> >>
> >> I edited PktSrc::Process() (PktSrc.cc) and added my own code to
> >> distinguish between processes (i.e. worker-1, worker-2).
> >>
> >>
> >>
> >> Then looked at the data variable, extracted the ip src & dst and checked
> >> for ->  (ipSRC ^ ipDST) % 2 == 0
> >>
> >>
> >>
> >> Worker-1 gets all the Even Result, Worker-2 gets all the Odd Results
> >>
> >>
> >>
> >> Also had to play around with (++stats.received) to reflect the new
> >> changes.
> >>
> >>
> >>
> >> This small patch dramatically improved my performance.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Tue, Nov 1, 2011 at 4:08 PM, Seth Hall <seth at icir.org> wrote:
> >>
> >> On Nov 1, 2011, at 4:26 AM, Tomer Teller wrote:
> >>
> >> > I configured the node.cfg and added:
> >> > 1 manager
> >> > 1 proxy
> >> > 2 workers  - sniffing the same interface
> >>
> >> Could you send the content of your node.cfg file?  I noticed in your
> >> broctl session you sent, there was a reference to worker-3 which isn't
> >> represented in your description.
> >>
> >> Thanks,
> >>
> >>  .Seth
> >>
> >> --
> >> Seth Hall
> >> International Computer Science Institute
> >> (Bro) because everyone has a network
> >> http://www.bro-ids.org/
> >>
> >>
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111103/20a0e106/attachment.html

More information about the Bro mailing list